ChangePassword
Event
Allows an IAM user to change their own AWS Management Console login password.
Security Context
- Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
- Accessing credential stores is a high-priority adversary objective that can unlock access to additional services, accounts, and environments.
- Actions that disrupt cloud services can have cascading effects on dependent systems and business operations.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence Impact Credential Access
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.
- T1531 — Account Access Removal — Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts.